On Thu, Dec 12, 2013 at 10:03 AM, Jonas Sicking <[email protected]> wrote:
> On Tue, Dec 10, 2013 at 8:24 PM, Tab Atkins Jr. <[email protected]> wrote:
>> On Wed, Dec 11, 2013 at 2:46 PM, Boris Zbarsky <[email protected]> wrote:
>>> On 12/10/13 6:30 PM, Jonas Sicking wrote:
>>>>
>>>> I would also think that you need properties to position the ::popout.
>>>
>>>
>>> Oh, yes. The extra fun here is:
>>>
>>> 1) Should the popout be able to paint outside the browser window? Right
>>> now, comboboxes (select size=1) can but normal CSS boxes cannot.
>>>
>>> 2) The popout needs to pop out in different directions (up or down)
>>> depending on the screen position of the anchor, the popout dimensions, and
>>> the screen dimensions.
>>>
>>> 3) The size of the popout needs to be capped in some way.
>>>
>>> Maybe all that logic should just live in the UA and the page just needs a
>>> way of saying "here is a popout thingie, anchor it here".
>>
>> Yes, the "popout thingy" probably needs to be a specialized 'display'
>> value that is only valid on the popout pseudo, so we can bottle the
>> magic precisely.
>
> Allowing the popout thingy to go outside of the browser window, while
> at the same time allowing it to be heavily customized, scares me a
> lot. At some it allows click-jacking parent windows. Or even rendering
> input controls in the parent window and steal data that the user
> thinks he's entering into the parent.
>
> Even just detecting where in the parent window the user is hovering
> the mouse or clicking could leak critical data if the user is unaware.
>
> Can we define a subset of styles that are safe?
>
> I had imagined that we pretty quickly would fall back to rendering the
> popout only inside the same window. Sadly.

Yeah, I imagine that while the popout is in the magic 'display' state,
it only accepts a handful of text/bg properties. Considering the
display modes of popouts in mobile browsers, that's about all we can
allow anyway. You'd have to switch it to display:block or
appearance:none or whatever to get full power, and then you lose the
more magical aspects of popout behavior.

(And browsers can always force it into the magical mode with a UA
!important rule, which mobile browsers probably should do.)

~TJ
